PayPal to combat phishing with key fobs

PayPal is releasing security key fobs with changing six-digit codes that will …

In an effort to protect users from fraud and phishing schemes, eBay subsidiary PayPal is preparing to offer secure key fobs. The devices, which display a six-digit code that changes every 30 seconds, will be made available free to all PayPal business users, and will cost $5 for all personal PayPal account users. Those who opt in to the key fob will have to enter the six-digit code when logging in to PayPal.

PayPal's use of key fobs represents what is called two-factor authentication, a login system in which a form of device-oriented verification is used in addition to a conventional password. Two-factor authentication is advantageous because it prevents a user's account from being stolen when one of the two authentication forms is compromised. For instance, if a user's password is stolen, the thief still won't be able to access the account without the device, and vice versa. It is hoped that this extra level of security will insulate users from the effects of Internet password theft. Last year, the Federal Financial Institutions Examination Council issued guidance reports stating that single-factor authentication is inadequate for financial institutions.

The new PayPal fobs, which were developed with the assistance of eBay partner VeriSign, have been undergoing testing by PayPal employees and will be available to PayPal customers in the United States, Australia, and Germany during the initial trial roll-out.

Security experts say that eBay and PayPal are by far the sites most frequently targeted by phishing scams. Perusal of Google's anti-phishing blacklist shows that eBay and PayPal scams together make up about 50 percent of known phishing sites documented by Google.

For most financial web services, the biggest security vulnerability of all can't be patched with new software because it is typically found between the keyboard and the chair of the end user. All too often users reveal their password or their banking information to total strangers without realizing that they have been had. Although security key fobs are not likely to solve the problem overnight, they are a reasonable way to limit the destructive potential of large-scale phishing operations. Unfortunately, phishing sites are already starting to catch on. A group of scammers from Russia implemented a Citibank phishing site last year that requested the key fob code as well as the password, and then connected to the real Citibank web site within the requisite amount of time. It is likely that advanced scammers will attempt to use similar techniques to continue taking advantage of PayPal users.